Tor network used to command Skynet botnet

Security researchers have identified a botnet controlled by its creators over the Tor anonymity network. It's likely that other botnet operators will adopt this approach, according to the team from vulnerability assessment and penetration testing firm Rapid7.

The botnet is called Skynet and can be used to launch DDoS (distributed denial-of-service) attacks, generate Bitcoins -- a type of virtual currency -- using the processing power of graphics cards installed in infected computers, download and execute arbitrary files or steal login credentials for websites, including online banking ones.

However, what really makes this botnet stand out is that its command and control (C&C) servers are only accessible from within the Tor anonymity network using the Tor Hidden Service protocol.

Tor hidden services are most commonly Web servers, but can also be Internet Relay Chat (IRC), Secure Shell (SSH) and other types of servers. These services can only be accessed from inside the Tor network through a random-looking hostname that ends in the .onion pseudo-top-level domain.

The Hidden Service protocol was designed to hide the IP (Internet Protocol) address of the clients from the service and the IP address of the service from the clients, making it almost impossible for the parties involved to determine each other's physical location or real identity. Like all traffic passing through the Tor network, the traffic between a Tor client and a Tor hidden service is encrypted and is randomly routed through a series of other computers acting as Tor relays.

Tor Hidden Services are perfect for a botnet operation, said Claudio Guarnieri, a security researcher at Rapid7 and creator of the Cuckoo Sandbox malware analysis system, in an email on Friday. "As far as I understand, there is no technical way neither to trace and definitely neither to take down the Hidden Services used for C&C."

Guarnieri published a blog post about the Skynet botnet on Thursday. He believes that the botnet is the same one described by a self-confessed botnet operator in a "IAmA" (I am a) thread on Reddit seven months ago. Reddit "IAmA" or "AMA" (ask me anything) threads allow people who perform various jobs or have various occupations to answer questions from other Reddit users.

Despite the wealth of information about the botnet offered by its creator on Reddit seven months ago, the botnet is still alive and strong. In fact, Rapid7 researchers estimate that the botnet's current size is of 12,000 to 15,000 compromised computers, up to 50 percent more than what its operator estimated 7 months ago.

The malware behind this botnet is distributed through Usenet, a system originally built at the beginning of the 1980s as a distributed discussion platform, but now commonly used to distribute pirated software and content, commonly known as "warez."

"We incidentally found it on Usenet and started digging there and realized the operator is automatically repackaging and uploading the malware for every new popular warez release," Guarnieri said. "It could be likely found on other file-sharing platforms too, but we have no proof at this point."

Content from Usenet is commonly downloaded by users and redistributed through other file-sharing technologies like BitTorrent.

The Skynet malware has several components: an IRC-controlled bot that can launch various types of DDoS attacks and perform several other actions, a Tor client for Windows, a so-called Bitcoin mining application and a version of the Zeus Trojan program, which is capable of hooking into browser processes and stealing log-in credentials for various websites.

While good for anonymity, Tor does have disadvantages for a botnet operation, such as increased latency and sometimes instability.

"Obviously they [the botnet operators] can't tunnel just everything through Tor," Guarnieri said. "If the botnet is performing some heavy, frequent and noisy communication, then it could be problematic."

However, if the goal is just for the infected machines to be able to retrieve commands from a server in a reasonable time without exposing its location, then Tor works well enough, he said. "I'm pretty sure more botherders will definitely replicate this design."

"This is a major reason for concern," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor Bitdefender, via email. "If a single botherder can stay anonymous for seven months by routing C&C traffic via TOR, then it will definitely stick with other botmasters."

That said, Botezatu believes that Tor might not be suitable for large botnets because the Tor network, which is already relatively slow, might not be able to handle a lot of concurrent connections.

The impact of botnets on the Tor network itself really depends on the scale of abuse, Guarnieri said. One feature of the Skynet botnet is that each infected machine becomes a Tor relay, which ironically makes the network larger and able to sustain the load, he said.

Botnet creators have recently implemented peer-to-peer solutions for command and control purposes rather than Tor-based ones, because they provide the same level of anonymity and increased resiliency without introducing the latency problems, Botezatu said. In addition, peer-to-peer implementations have already been well documented and tested, he said.

The Tor-based approach is not new, said Marco Preuss, head of the German global research and analysis team at antivirus vendor Kaspersky Lab, via email. "In the past years several presentations and research papers mentioned this method for botnets."

"One of the most important disadvantages is the complex implementation -- errors lead to easy detection -- and also the speed is a drawback," Preuss said. Depending on how Tor is used in the botnet infrastructure, there might be solutions to detect and block the traffic, as well as to disable the botnet, he said.

"A single botnet of about ten thousand machines isn't a stringent problem for the global Internet, but, if things escalate, we're sure that node administrators will cooperate with ISPs and law enforcement to take down malicious traffic," Botezatu said. "After all, Tor has been designed for anonymity and privacy, not for cyber crime."

"One countermeasure that companies or ISPs could eventually enforce in their firewall is to drop all packets that originate from known TOR nodes, in order to minimize the amount of potentially malicious traffic they receive," Botezatu said. "Of course, they might also end up blacklisting a number of legit Tor users looking for anonymity."

Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.